Information is the most valuable and fundamental asset in the financial sector: it supports business operations and enables an organization to gain a competitive advantage in the market. Because information is valuable and critical, it is also exposed to a variety of attacks from both inside and outside the organization. Financial institutions are currently subjected to repeated cybercrime, alongside other internal and external attacks on their electronic payment systems, which is costing them billions and disrupting their business. To address this concern, it is essential to assess information security management practice in the card banking systems of the financial sector, using an international information security standard as a benchmark, to identify gaps, and to recommend best security practices that help the financial sector meet standard security compliance.
To this end, two institutions that issue electronic cards and card PINs were selected by purposive sampling from the financial sector in Ethiopia, which includes banks and e-payment processors. The target population comprised all IT staff of the two selected institutions. Quantitative data was collected using a questionnaire based on the PCI DSS security standard; twenty-seven questionnaires were distributed and twenty-five were completed and returned, a response rate of 93%. In addition to the questionnaires, observation and document review were carried out to corroborate the respondents' answers. The data was then processed using IBM SPSS Statistics V.20.
The results show that most of the essential security practices and management activities in the institutions studied do not comply with the international security standard. Most of the indispensable security requirements that would protect the institutions from security risk are below the acceptable level: there is no periodic vulnerability assessment, no access control in some critical areas, no password policy and procedures implemented on some critical components, no change management procedure, and no maintained information security policy that is carried out in daily operations. In general, the study shows that information security management and practice is not well maintained to address the current information security risk facing the financial sector. Furthermore, the study identifies the major security factors that prevent the institutions from achieving PCI DSS compliance, and, based on the findings, provides directions and action items that can help the financial sector become compliant with the security standard.

Description:

A Thesis Submitted to School of Graduate Studies of Addis Ababa University in Partial Fulfillment of the Requirements for the Degree of Master of Science in Information Science